Jul 15, 2014

How-To : myBRO Device Certificate and Private Key Retrieval

As of June 26, 2014 the PLDT/Smart Telco 4G wireless Internet Service Provider carried out its first clearing operation on its network and wireless system to eliminate the country's rampant cloning of 4G wireless broadband CPEs. According to this forum, the usual MAC-address-based authentication of the SMART myBRO 4G wireless modem is no longer effective as of that date, because AAA has now been implemented using the Device Certificate + Private Key + MAC address; if these three do not match on your Green Packet device, such as the DV235T and OX230, you will no longer be admitted to the network. In short, you will be denied access to the Smart 4G base station, and there is no way to use even a proxy server to bypass their portal.

Here are simple steps on how to retrieve your myBRO 4G wireless broadband modem's device certificate, private key and MAC address via telnet or SSH; make sure port 23 or 22 is enabled so that you can open the terminal.

Once you are logged in to the command line interface (CLI), e.g. via telnet or SSH, type the following commands in order.

cd /etc


The ls /etc command lists the contents of the /etc directory; there you will see the file wmx_client_ca.pem, which is the device certificate, and wmx_priv_key.key, which is the private key.

cat wmx_client_ca.pem


cat wmx_priv_key.key


After you have viewed the device certificate and the private key in plain text, you can copy and paste them into Notepad and save them as wmx_client_ca.pem and wmx_priv_key.key respectively. You have now successfully retrieved your myBRO device certificate and private key.

Additionally, if you want to retrieve your myBRO 4G wireless broadband WAN MAC address, type the following command and the device's WAN MAC will be displayed.

sncfg get WAN_MAC


I have included this extra screenshot because on some myBRO 4G wireless broadband CPEs the device certificate and private key are hidden, as on this screen. The Green Packet equipment with a MediaTek chipset runs an embedded Linux OS and therefore ships with the tiny all-in-one BusyBox toolset, which you can use to unhide the device certificate and the private key.

Jul 14, 2014

CIDG 7 seized P300K worth of LTE modems

Thursday, June 26, 2014

The Criminal Investigation and Detection Group (CIDG) entrapped four persons for allegedly selling Internet modems without authority from a telecommunication company.


Some P300,000 worth of modems, antennas and cable cords for Internet installation were confiscated by the operatives Wednesday afternoon in Mandaue City.

The suspects work as sub-contractors for Globe Telecom.

They are identified as Israel John Brigoli Abenir, 25; Lemuel Galinato, 22; Orlando Rizaldo Mula, 27; and Roy Gonzales Aguelo, 45.

CIDG 7 Deputy Chief Fermin Armendarez explained that the sub-contractors install modems for clients to have Internet connections.

Globe

The operation was conducted based on the report of Globe Telecom Security Officer Ramil Manlosa.

Manlosa said his job is to monitor their customers’ Internet connection through their website.

Manlosa told police that he found modems being sold online while he was browsing the Internet last June 19.

He then informed Globe Telecom Security Head Manolito Zapata, who instructed the former to coordinate with the police.

Armendarez said Long-Term Evolution (LTE) modems cannot be sold because these are given for free to Globe Telecom Internet subscribers.

Armendarez led the entrapment at 3 p.m. in Barangay Labogon, Mandaue City.

Through the online website selling the modems, Manlosa ordered 20 gadgets.

He was immediately contacted by the administrator of the website.

Each modem was reportedly sold for P5,000.

But Manlosa said a modem costs about P10,000.

SPO1 Jackson Rivera acted as the buyer.

He met the four suspects during the delivery of the sold items.

As soon as the suspects handed Manlosa’s order, the other CIDG 7 operatives swooped down on the suspects.

LTE

Recovered from Abenir were nine LTE modems with power cord and five LTE antennas with a total market value of P90,000.

Seized from Galinato was an LTE modem worth P10,000.

Mula and Aguelo were also caught with 10 LTE modems with power cord, 10 LTE antennas, and 10 LAN cords worth P100,000.

It was only after the entrapment that Globe Telecom found out that the four suspects were working as their sub-contractors.

The modems that were sold were supposed to be distributed to Globe Telecom’s subscribers for their Internet installation.

Reporters tried to get a statement from any of the four suspects but they all declined to be interviewed.

A complaint for estafa is expected to be filed against the suspects.

They are currently detained at the CIDG 7 stockade. - Sunstar

Jun 21, 2014

8866 2288 6600 8800 9966 7700

Ever heard of domains such as 8866.org, 2288.org, 6600.org, 8800.org, 9966.org, and 7700.org? Me neither -- well, at least not until recently.


The latest zero-day exploit, which affects Microsoft Word, drops a Trojan that tries to connect to a host at 3322.org. It turns out that these particular domains are IP forwarders, i.e. they let you register any available host under the domain and forward traffic to whichever IP address you prefer. That sounds like a great way for cyber criminals to keep their real attack systems on the move.

I learned about this over at F-Secure, where they explain a bit more about these domains.

When you see these domains in your URL filtering or web access logs they should raise gigantic red flags. In my opinion they should be blocked outright unless you have a really good reason not to. Better safe than sorry. You can check this forum for the exploits that lead to Trojan Perkesh.
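As an added example (not part of the original post), the kind of log check the paragraph above suggests: scan proxy access-log lines for any destination host under the forwarder domains named here, matching on the registrable parent so a lookalike such as 8866.org.example.com is not flagged. The Squid native log layout and all sample lines and hostnames below are constructed assumptions.

```python
"""Flag web-proxy log entries whose destination falls under one of the
dynamic-DNS forwarder domains named in the post.  Added example, not from
the original post; log format assumed Squid native:
time elapsed client code/status bytes method URL rfc931 peer type."""
from urllib.parse import urlsplit

# Parent domains called out in the post (3322.org hosts the Word zero-day's C2).
SUSPECT_DOMAINS = frozenset({
    "8866.org", "2288.org", "6600.org", "8800.org",
    "9966.org", "7700.org", "3322.org",
})

def parent_domain(host: str) -> str:
    """Registrable parent (last two labels) of a hostname, lowercased."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_suspect_host(host: str) -> bool:
    """True for a forwarder domain itself or any host registered under it."""
    return parent_domain(host) in SUSPECT_DOMAINS

def host_from_url(url: str) -> str:
    """Hostname from a log URL; bare host:port (as logged for CONNECT) works too."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""

def flag_log_lines(lines):
    """Return (client_ip, host, url) for every line that hits a suspect domain."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # short or malformed line: nothing to inspect
        client, url = fields[2], fields[6]
        host = host_from_url(url)
        if host and is_suspect_host(host):
            hits.append((client, host, url))
    return hits

def squid_dstdomain_acl():
    """Blocklist entries in Squid dstdomain form (leading dot = domain and all subdomains)."""
    return sorted("." + d for d in SUSPECT_DOMAINS)

# Constructed sample log lines; hosts and addresses are made up for the example.
SAMPLE_LOG = [
    "1403300000.123   45 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html",
    "1403300001.456  120 10.0.0.23 TCP_MISS/200 812 GET http://abc.3322.org/cmd.php - DIRECT/198.51.100.7 text/plain",
    "1403300002.789   30 10.0.0.15 TCP_MISS/200 640 GET http://8866.org.example.com/ - DIRECT/203.0.113.11 text/html",
    "1403300003.012  900 10.0.0.42 TCP_TUNNEL/200 4096 CONNECT foo.8866.org:443 - DIRECT/192.0.2.5 -",
]

if __name__ == "__main__":
    for client, host, url in flag_log_lines(SAMPLE_LOG):
        print(f"ALERT {client} -> {host}  ({url})")
```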

Jun 19, 2014

P&T Luxembourg Tests Alcatel-Lucent’s Zero-Touch Vectoring

P&T Luxembourg is testing Alcatel-Lucent's Zero-Touch Vectoring to evaluate how the technology can help the operator meet the national government's "Ultra High BroadBand" plan, which aims to provide all Luxembourg residents with broadband speeds of 100 Mbps downstream and 50 Mbps upstream by 2015.

VDSL2 Vectoring is a noise-cancelling technology that removes the interference between the multiple VDSL2 lines, so that each VDSL2 line can operate at its best and deliver higher data transmission speeds. P&T Luxembourg is already deploying Alcatel-Lucent’s GPON and P2P-based fiber access solution. http://www.alcatel-lucent.com

In October 2012, Alcatel-Lucent introduced new signal processing software developed by Bell Labs that promises to shake up the business model for VDSL2.

The new 'Zero Touch Vectoring' capability eliminates the need to upgrade every CPE in a copper node whenever the first customer opts for faster broadband access delivered over a VDSL2 vectored line. Previously, a carrier choosing to deploy VDSL2 Vectoring was required to upgrade every modem on the network in order to properly handle the crosstalk elimination.

Alcatel-Lucent introduced the first commercial VDSL2 Vectoring solution in September 2011, delivering 100 Mbps over existing copper loop lengths of 400 meters. VDSL2 vectoring uses digital signal processing to remove crosstalk between copper pairs in a bundle, similar to noise cancellation in headphones. From line cards at the central office or DSLAM, the system measures the crosstalk from all the lines in the bundle and then generates an anti-phase signal to cancel out the noise. Alcatel-Lucent developed its own chipset and software. The VDSL2 vectoring is delivered via a 48-port Board Level Vectoring card, a 48-port System Level Vectoring card, and a Vector Processing card supporting up to 384 ports.

Path traversal in TP-LINK WR740 and possibly others

Summary

TP-Link WR740 routers are affected by a path traversal vulnerability in the web administration interface. Unauthenticated users are able to read any file from the device.

Description

Models: WR740N, WR740ND and possibly others.
Update: People have been reporting on forums that the models WR743ND, WR842ND, WA-901ND, WR941N, WR941ND, WR1043ND, WR2543ND, MR3220, MR3020 and WR841N are also based on the same HTTP daemon, but we have not been able to test them ourselves.
Firmware: 3.12.11 Build 111130 Rel.55312n and possibly others
Date: 26/05/2012
Severity: High
Impact: Disclosure of configuration and password files.
Attack vector: Remote. No auth required.
Solution: N/A

The TP-Link WR740ND/WR740N router has an HTTP server running on port 80 that serves the web management interface.

There is a path traversal vulnerability in the URI "/help" that allows attackers to read any file, including configuration files.

It is also possible to read other configuration files if the corresponding services have been configured previously (No-IP, DynDNS, Samba, NFS).

POC


After further research we discovered that the URL had been posted before on a Russian forum, but it was not described as a vulnerability and referred to another model.

Paulino Calderón
calderon()websec.mx